New SMS smishing malware targets Android mobile device users

Security researchers at Proofpoint Cloudmark have discovered a new strain of SMS-spread mobile malware that cybercriminals are using to target users in the United States and Canada with Covid-19 lures. The malware has been nicknamed TangleBot due to its many levels of obfuscation and its ability to control a multitude of tangled device functions, including contacts, SMS and phone capabilities, call logs, Internet access, camera, and microphone. As with the FluBot malware, which remains a threat in Europe and the UK, TangleBot tries to trick mobile users into downloading malware by sending fake Covid-19 warning notifications. While some of the text messages used in the campaign contain information about regulations, others provide details about vaccine recalls. As is the case with many phishing campaigns, these messages create a sense of urgency because users may want to know how Covid regulations have changed in their region or may be interested in a Covid-19 vaccine booster for better protection against new variants of the virus.

TangleBot malware

If a user clicks the link in one of the campaign text messages, a website appears informing them that Adobe Flash Player is out of date and needs to be updated. Clicking through the subsequent dialogs installs the TangleBot malware on the user's Android smartphone. TangleBot is granted privileges to access and control many features of the device, as mentioned above. With this access, an attacker can make and block phone calls, send, receive, and process text messages, record using the device's camera or microphone, record its screen, place screen overlays on the device to cover legitimate apps, and implement other device observation capabilities, according to a Cloudmark blog post.

As the company's researchers observed with FluBot, TangleBot can overlay banking or financial applications and directly steal a victim's account credentials. An attacker can also use a victim's device to send messages to other mobile devices in order to further spread the malware. Even if a user discovers that TangleBot is installed on their device and removes it, an attacker may not use the stolen information for some time, leaving the victim unaware that their account credentials have been stolen.

To avoid falling victim to TangleBot and other mobile malware, Cloudmark recommends that users be on the lookout for suspicious text messages from unknown senders and avoid clicking any links these messages may contain. Users should also avoid installing apps from sources other than the Google Play Store or other official app stores.